Abstract

The number of apps in the Google Play store (~3 million) necessitates an automated approach towards analysis for security threats. Such analysis relies on the ability to fully comprehend, and potentially modify, the actions being taken by a given app, whether low-level (system call) or high-level (services such as SMS or Location). Therefore, this thesis seeks to determine how accurate and scalable methods for the analysis and manipulation of Android apps/malware can be constructed that transcend the significant changes to the Android system through each release.

First, the author describes the potential of utilising a system-call-only based approach to reconstructing both low-level and high-level behaviours. A novel method for automatically reconstructing system call information in a version-agnostic manner is presented, as is the robust, scalable and extensible framework that enables real-time reconstruction, analysis and manipulation of low-level and high-level operations using this approach. While prior work does explore utilising a system call based approach, it is a primitive implementation supporting a single version of Android and requiring significant manual effort. While this approach permits automatic system call reconstruction, it cannot reconstruct Binder ICC and Android objects.

Next, the author explores a novel approach for reconstructing Binder ICC and Android objects through static analysis of the Android framework source code. This approach precisely determines the relationship between Binder interfaces and Android objects, permitting automatic generation of reconstruction code to correctly and efficiently reconstruct Binder ICC in real-time, integrating the automatically generated code into the framework. The author demonstrates the efficacy of this design by building an information leakage detection plug-in that uses differential analysis to detect leakage of sensitive information. This plug-in is further extended to test anti-evasion techniques.

Finally, the author discusses utilising the approach in other ways, including automatically constructing Berkeley Packet Filter support for on-device analysis.